DevSecOps in Practice: Tools That Actually Catch Vulnerabilities - Part 4 - IaC Scanning with Checkov

DEV Community·Hariharan·about 1 month ago

The previous parts covered application security: secrets, code vulnerabilities, and dependency CVEs. This part shifts to the infrastructure side. The Terraform in the repo describes the AWS resources the app would run on. If that infrastructure is misconfigured, it doesn't matter how clean the application code is. IaC scanning catches those misconfigurations before terraform apply ever runs.

Code repo: https://github.com/pkkht/devsecops-demo/

What IaC scanning is

Infrastructure as Code scanning analyses your Terraform, CloudFormation, Kubernetes manifests, or Helm charts for security misconfigurations. It works the same way as SAST: static analysis, no cloud connection required. It checks your configuration files against a library of security rules and tells you what's wrong and how to fix it. The value is catching misconfigurations at code review time rather than after they've been deployed to a live environment. An open S3 bucket found in a Terraform file takes seconds to fix.…
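To make the "static analysis against a library of rules" idea concrete, here is a toy IaC rule engine added for this page. It is not Checkov's code and not part of the devsecops-demo repo; it shows the mechanism a tool like Checkov applies to Terraform text (parse resource blocks, evaluate each against rules, report findings without touching AWS). The two Terraform snippets are constructed for the example: the first is the open-S3-bucket case the article mentions, the second is the hardened form using the separate public-access-block and server-side-encryption resources. The rule names and the `scan` function are this example's own, not Checkov check IDs.

```python
"""Toy IaC rule engine (added example): static checks over Terraform text.

Like Checkov, it never contacts the cloud; it only reads the HCL.  Unlike
Checkov, it is a few regexes and three rules, so treat it as an illustration
of the mechanism, not as a scanner.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# --- constructed sample input: the misconfigured bucket the article talks about
VULNERABLE_TF = '''
resource "aws_s3_bucket" "logs" {
  bucket = "demo-app-logs"
  acl    = "public-read"        # world-readable: the classic open bucket
}
'''

# --- constructed sample input: the same bucket, hardened
HARDENED_TF = '''
resource "aws_s3_bucket" "logs" {
  bucket = "demo-app-logs"
}

resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}
'''


@dataclass
class Block:
    rtype: str   # e.g. aws_s3_bucket
    name: str    # e.g. logs
    body: str    # text between the outermost braces


RESOURCE_HEADER = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')


def parse_resources(hcl: str) -> list[Block]:
    """Extract top-level resource blocks by counting braces (enough for demo HCL)."""
    blocks = []
    for m in RESOURCE_HEADER.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        blocks.append(Block(m.group(1), m.group(2), hcl[m.end():i - 1]))
    return blocks


def attr(body: str, key: str) -> str | None:
    """Value of a simple `key = value` attribute in a block body, or None."""
    m = re.search(rf'^\s*{key}\s*=\s*("[^"]*"|[^\s#]+)', body, re.M)
    return m.group(1).strip('"') if m else None


PUBLIC_ACLS = ("public-read", "public-read-write")
PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")


def scan(hcl: str) -> list[str]:
    """Run the S3 rules over every aws_s3_bucket and return human-readable findings."""
    blocks = parse_resources(hcl)

    def attached(rtype: str, bucket_ref: str) -> Block | None:
        # A companion resource is "attached" when its bucket = aws_s3_bucket.<name>.id
        return next((b for b in blocks
                     if b.rtype == rtype and attr(b.body, "bucket") == bucket_ref), None)

    findings = []
    for b in (b for b in blocks if b.rtype == "aws_s3_bucket"):
        rid = f"aws_s3_bucket.{b.name}"
        # Rule 1: canned ACL that grants anonymous access
        if attr(b.body, "acl") in PUBLIC_ACLS:
            findings.append(f"{rid}: ACL grants public access")
        # Rule 2: public access block present and fully enabled
        pab = attached("aws_s3_bucket_public_access_block", f"{rid}.id")
        if pab is None:
            findings.append(f"{rid}: no aws_s3_bucket_public_access_block")
        else:
            for flag in PAB_FLAGS:
                if attr(pab.body, flag) != "true":
                    findings.append(f"{rid}: public access block has {flag} != true")
        # Rule 3: server-side encryption configured
        if attached("aws_s3_bucket_server_side_encryption_configuration", f"{rid}.id") is None:
            findings.append(f"{rid}: no server-side encryption configuration")
    return findings


if __name__ == "__main__":
    for label, tf in (("vulnerable", VULNERABLE_TF), ("hardened", HARDENED_TF)):
        print(label, scan(tf) or "clean")
```

The point of the example is the shape of the process: parse, match rules, report, all from the file in the pull request. In the demo pipeline the equivalent step is the real tool, run from the repo root as `checkov -d .` (or `checkov -f main.tf` for a single file), which ships hundreds of rules of this kind for Terraform and the other formats named above.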
